Securing user accounts in Linux is critical for system administrators, especially when dealing with failed login attempts. By configuring the system to lock user accounts after a certain number of failed attempts, you can reduce the risk of brute force attacks. This lockout mechanism provides an extra layer of security, ensuring that malicious users cannot continuously attempt to guess login credentials.
Linux allows administrators to implement account lockout policies through the pam_tally2 or pam_faillock modules. These modules track login attempts and enforce lockouts when the number of failed attempts exceeds a predefined threshold. Once configured, the system will automatically lock the account, requiring administrative action to unlock it or wait for a defined period.
This guide demonstrates how to configure the account lockout policy using pam_faillock, a widely recommended and more modern method for recent Linux distributions, including Ubuntu, Debian, and CentOS.
Steps to automatically lock accounts after failed login attempts.
- Open the terminal.
Ensure you have root or sudo privileges before proceeding.
- Install the pam_faillock module if it is not already available.
$ sudo apt install libpam-faillock
For CentOS or RHEL systems, use yum or dnf instead of apt. Note that on recent Debian and Ubuntu releases (libpam 1.4 and later) pam_faillock.so already ships in libpam-modules, and on RHEL and CentOS it is part of the pam package, so the module is usually present without installing anything extra.
- Edit the pam configuration file for login attempts.
$ sudo nano /etc/pam.d/common-auth
- Add the following lines to the file to enable account lockout after 5 failed attempts. Place the preauth line before the pam_unix.so line and the authfail line directly after it, so that a failure reported by pam_unix reaches pam_faillock.
auth required pam_faillock.so preauth silent deny=5 unlock_time=600
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=600
account required pam_faillock.so
deny=5 locks the account after 5 consecutive failed attempts. unlock_time=600 unlocks the account automatically after 10 minutes; unlock_time=0 keeps it locked until an administrator resets it with faillock. Only failures inside the fail_interval window count towards the threshold (900 seconds, i.e. 15 minutes, by default). On PAM 1.4 and later these options can also be set once in /etc/security/faillock.conf instead of repeating them on each line.
- Save and close the file.
- To have sudo, and every other service that includes the shared account configuration, enforce the lockout, edit the common account file.
$ sudo nano /etc/pam.d/common-account
- Add the following line so that a locked account is also rejected when authenticating to sudo.
account required pam_faillock.so
- Save and close the file.
- Verify the configuration by attempting to log in with incorrect passwords.
After 5 failed attempts, the account will be locked. You can view the failures recorded for a user, and therefore whether the account is currently locked, using the following command.
$ faillock --user user_name
- Use faillock to manually unlock a user account.
$ sudo faillock --reset --user user_name
Replace user_name with the actual username of the locked account.
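The following script is an added example and is not part of the original guide or of the pam_faillock project. It shows how to audit the result of the steps above without touching a live system: it checks that the preauth and authfail lines are present and ordered around pam_unix.so, extracts the deny= threshold, and interprets a faillock(8) report in the column layout faillock prints (When, Type, Source, Valid). The common-auth text, the report and the user alice are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit pam_faillock settings and
# interpret a faillock report offline. All inputs are constructed samples.

# Constructed sample of /etc/pam.d/common-auth after the edit described in the guide.
SAMPLE_COMMON_AUTH='auth required pam_faillock.so preauth silent deny=5 unlock_time=600
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=600
auth requisite pam_deny.so
auth required pam_permit.so'

# Constructed sample of `faillock --user alice` output (hypothetical user, RFC 5737 address).
# Records marked V are still valid; records marked I fell outside fail_interval.
SAMPLE_FAILLOCK_REPORT='alice:
When                Type  Source                                           Valid
2024-03-01 10:00:01 RHOST 192.0.2.10                                       V
2024-03-01 10:00:04 RHOST 192.0.2.10                                       V
2024-03-01 10:00:09 RHOST 192.0.2.10                                       V
2024-03-01 10:00:15 RHOST 192.0.2.10                                       V
2024-03-01 10:00:22 RHOST 192.0.2.10                                       V
2024-02-28 09:12:44 TTY   pts/0                                            I'

# pam_check_faillock CONFIG_TEXT
# Returns 0 when the text has a preauth line, a pam_unix.so line and an
# authfail line in that order (the ordering the guide relies on), else 1.
pam_check_faillock() {
    printf '%s\n' "$1" | awk '
        /^auth/ && /pam_faillock\.so/ && /preauth/  { pre = NR }
        /^auth/ && /pam_unix\.so/                   { pu = NR }
        /^auth/ && /pam_faillock\.so/ && /authfail/ { fail = NR }
        END { exit (pre && pu && fail && pre < pu && pu < fail) ? 0 : 1 }'
}

# faillock_deny CONFIG_TEXT
# Prints the deny= value from the preauth line (empty when absent).
faillock_deny() {
    printf '%s\n' "$1" | awk '
        /pam_faillock\.so/ && /preauth/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; exit }
        }'
}

# faillock_valid_count REPORT_TEXT
# Counts the records whose last column is V; pam_faillock ignores I records.
faillock_valid_count() {
    printf '%s\n' "$1" | awk '$NF == "V" { n++ } END { print n + 0 }'
}

# faillock_is_locked REPORT_TEXT DENY
# Returns 0 (locked) when the valid failures have reached the deny threshold.
faillock_is_locked() {
    count=$(faillock_valid_count "$1")
    [ "$count" -ge "$2" ]
}

# Usage with the constructed samples.
if pam_check_faillock "$SAMPLE_COMMON_AUTH"; then
    echo "common-auth: pam_faillock lines present and ordered around pam_unix.so"
else
    echo "common-auth: pam_faillock lines missing or misordered" >&2
fi
deny=$(faillock_deny "$SAMPLE_COMMON_AUTH")
if faillock_is_locked "$SAMPLE_FAILLOCK_REPORT" "$deny"; then
    echo "alice is locked: $(faillock_valid_count "$SAMPLE_FAILLOCK_REPORT") valid failures, deny=$deny"
else
    echo "alice is not locked"
fi
```

On a real host the same functions can be fed `cat /etc/pam.d/common-auth` and `faillock --user "$user"` in place of the samples; the ordering check is the part most often wrong in practice, since an authfail line placed before pam_unix.so never sees the failure it is meant to record.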
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.